Drupal.org resets password

I believe Drupal.org has been hacked, and they’ve reset all password. The breach is the result of an attack that exploited a vulnerability in an undisclosed third-party application, not in Drupal itself.

“Malicious files were placed on association.drupal.org servers via a third-party application used by that site,” Ross wrote. “Upon discovering the files during a security audit, we shut down the association.drupal.org website to mitigate any possible ongoing security issues related to the files. The Drupal Security Team then began forensic evaluations and discovered that user account information had been accessed via this vulnerability.”

Drupal.org account holders will be required to change their password by visiting this link, entering their username or e-mail address, and following the link included in the e-mail message that follows.